Oracle vulnerability

  • From: Nirmalya Das <nirmalya@xxxxxxx>
  • To: oracle-l <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 6 Feb 2006 10:27:38 -0800

I have an Oracle 10g (10.1.0.4.0) installation....

How important is the following patch.....
Has anyone already applied this patch....anything to watch out for?


Oracle vulnerability:

Oracle is advising its customers to quickly apply a critical database patch
the company issued last week. Security experts warn the hole could allow
even unsophisticated users to take control of Oracle databases.

The patch, known as DB18, fixes a hole that affects most supported versions
of the Oracle database software, including Oracle versions 8, 9 and 10. The
hole is "very severe" and allows users to bypass the Oracle database's
authentication and become administrative "super users," according to Shlomo
Kramer, CEO of Imperva, which discovered the hole. However, Kramer and
others say Oracle may be downplaying the seriousness of the threat out of
concern that malicious hackers could be tipped off to the severity of the
issue.

Oracle Corp. said that it patches security holes in the order of their
severity and categorized DB18 as a serious vulnerability with the potential
for wide impact in the January Critical Patch Update [CPU], according to an
e-mail statement.

The security hole is part of the standard user authentication mechanism used
by Oracle database clients, according to information published by Imperva.

That authentication consists of two separate client requests and server
responses.

By manipulating a variable in one of those requests that is used to set the
language and location of the client, ordinary users with "create session"
privileges can run commands as SYS, the highest-level Oracle account,
Imperva said.

The patch process needs to be taken seriously, and the patch can be downloaded
from the site below:

http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html

TIA

Nirmalya
--
//www.freelists.org/webpage/oracle-l